Re: [websec] HSTS: max-age=0 interacting with includeSubdomains

Tobias Gondrom <tobias.gondrom@gondrom.org> Tue, 21 August 2012 19:09 UTC

Message-ID: <5033DCD3.8020004@gondrom.org>
Date: Tue, 21 Aug 2012 20:09:07 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: Jeff.Hodges@KingsMountain.com
References: <5033D919.8070306@KingsMountain.com>
In-Reply-To: <5033D919.8070306@KingsMountain.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: websec@ietf.org
Subject: Re: [websec] HSTS: max-age=0 interacting with includeSubdomains
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>

<hat="individual">

Jeff,

thanks a lot for the clarification.


On 21/08/12 19:53, =JeffH wrote:
> Tobias wrote:
> >
> > Would agree with Adam.
>
> agreed -- what Adam relates is how the spec and the implementations 
> have worked for ages.
>
>
> > And for Brian, I think there is actually one more use case that you
> > haven't considered:
> > Look at it in reverse order:
> > 1. We visit https://sub.example.com and receive HSTS with
> > max-age=1234567890
> > 2. We visit https://example.com and receive HSTS with max-age=0 ;
> > includeSubdomains
> >
> > as far as I remember that would actually clear HSTS for
> > sub.example.com?
>
> No, it would not do so.  As Adam said, the user agent maintains a list 
> of distinct host names which have issued the HSTS Policy (aka STS 
> header field).
>
> The above scenario would result in no entry for example.com, and an 
> entry for sub.example.com

Fine by me. I am just wondering whether this is unambiguous enough in
the draft.
Do we need to be more clear on that? Or did I miss a clarifying point on
that somewhere in the draft?

Specifically my confusion came when reading 6.1.1 and 6.1.2 and trying
to apply them as:

first 6.1.1: "A max-age value of zero (i.e., "max-age=0") signals the UA to
cease regarding the host as a Known HSTS Host."
and then the next sentence in 6.1.2: "..."includeSubDomains" directive
is a valueless flag which, if present, signals to the UA that the HSTS
Policy applies to this HSTS Host as well as any subdomains"

Could that be misread as "0" means cease HSTS and then
"includeSubDomains" extends that meaning to all subdomains?

Just my 5 cents,

Tobias




>
> =JeffH
>
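Editor's note: the behaviour Jeff describes above (one Known HSTS Host entry per distinct host name; max-age=0 removes only the sending host's own entry, and includeSubDomains does not reach into other hosts' entries) is modelled below in a small policy store. This is an added illustration, not code from the thread, from any browser, or from the HSTS draft. The header parser follows the directive syntax of RFC 6797 section 6.1 (case-insensitive directive names, optional quoted values, duplicate directives make the header invalid); the host names, the `HstsStore` class and the two scenario functions are constructed for the example. `reversed_order_scenario` is Tobias's case; `forward_order_scenario` is the ordinary case where the parent domain's policy was the only thing covering the subdomain.

```python
"""Toy RFC 6797-style HSTS policy store (added example, not a real UA's code)."""
import re
from dataclasses import dataclass

# RFC 7230 token characters, used for directive names and unquoted values.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_DIRECTIVE = re.compile(
    rf'\s*({_TOKEN})\s*(?:=\s*(?:"((?:[^"\\]|\\.)*)"|({_TOKEN})))?\s*$')


def parse_sts(header):
    """Parse an STS header value into {lowercased-name: value-or-None}.

    Returns None when the header does not conform to RFC 6797 6.1, in which
    case a UA must ignore it (8.1): missing or non-numeric max-age, duplicate
    directive names, or a value attached to the valueless includeSubDomains.
    """
    directives = {}
    for part in header.split(';'):
        if not part.strip():
            continue                      # tolerate empty directives / trailing ';'
        m = _DIRECTIVE.match(part)
        if not m:
            return None
        name = m.group(1).lower()         # directive names are case-insensitive
        if name in directives:
            return None                   # duplicates invalidate the header (6.1)
        directives[name] = m.group(2) if m.group(2) is not None else m.group(3)
    max_age = directives.get('max-age')
    if max_age is None or not max_age.isdigit():
        return None                       # max-age is required and must be digits
    if 'includesubdomains' in directives and directives['includesubdomains'] is not None:
        return None                       # includeSubDomains carries no value (6.1.2)
    return directives


@dataclass
class HstsEntry:
    expires: float          # absolute time (seconds) at which the policy lapses
    include_subdomains: bool


class HstsStore:
    """One entry per distinct host name that has issued an HSTS Policy."""

    def __init__(self):
        self.entries = {}

    def process_response(self, host, header, now):
        """Apply an STS header received from `host` over an error-free TLS connection."""
        host = host.lower().rstrip('.')
        parsed = parse_sts(header)
        if parsed is None:
            return                        # malformed header: ignored, store untouched
        max_age = int(parsed['max-age'])
        if max_age == 0:
            # 6.1.1: cease regarding *this host* as a Known HSTS Host. Whether
            # includeSubDomains is present is irrelevant: other hosts' own
            # entries are never touched by a header they did not send.
            self.entries.pop(host, None)
            return
        self.entries[host] = HstsEntry(now + max_age, 'includesubdomains' in parsed)

    def is_known_hsts_host(self, host, now):
        """Congruent match on the host itself, or a superdomain match on an
        unexpired entry that carries includeSubDomains (RFC 6797 8.2/8.3)."""
        host = host.lower().rstrip('.')
        labels = host.split('.')
        for i in range(len(labels)):
            candidate = '.'.join(labels[i:])
            entry = self.entries.get(candidate)
            if entry is None:
                continue
            if entry.expires <= now:
                del self.entries[candidate]   # lazily drop expired entries
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False


def reversed_order_scenario(now=1_000_000.0):
    """Tobias's case: sub.example.com sets its own policy first, then
    example.com sends max-age=0; includeSubDomains."""
    store = HstsStore()
    store.process_response('sub.example.com', 'max-age=1234567890', now)
    store.process_response('example.com', 'max-age=0; includeSubDomains', now)
    return {'example.com': store.is_known_hsts_host('example.com', now),
            'sub.example.com': store.is_known_hsts_host('sub.example.com', now)}


def forward_order_scenario(now=1_000_000.0):
    """Only example.com ever sent a policy (with includeSubDomains); its later
    max-age=0 removes the single entry that was covering the subdomain."""
    store = HstsStore()
    store.process_response('example.com', 'max-age=31536000; includeSubDomains', now)
    covered_before = store.is_known_hsts_host('sub.example.com', now)
    store.process_response('example.com', 'max-age=0; includeSubDomains', now)
    return {'before': covered_before,
            'after': store.is_known_hsts_host('sub.example.com', now)}
```

In the reversed-order run the store ends with no entry for example.com and an untouched entry for sub.example.com, exactly as Jeff states; in the forward-order run the subdomain loses coverage only because it never had an entry of its own.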